Phantom jobs in Task Scheduler

  • Thread starter Thread starter Joe DePrimo
  • Start date Start date
J

Joe DePrimo

I have two jobs that try to run (parent PID mstask.exe) apparently
under the Task Scheduler. This started recently even though the
software trying to be run was uninstalled months ago. The attempts
fail because the DLL's being run via rundll32 no longer exist.

The only changes on this server (Win2k Advanced Server, SP4 Build
2195) have been the updates that come from Windows Update and my
anti-virus vendor. (I've also checked for viruses using the latest
definitions.)

One of the jobs runs every 15 minutes and another every hour. I did
a lot of investigation and found references to the jobs in the log
file for Task Scheduler (Control-Panel -> Scheduled Tasks, then pick
"View Log" from the advanced menu). This revealed the job names:
* IDA{5B940D5F-0A3F-11D2-95B5-080009DC8202}001.job
* IDA{5B940D5F-0A3F-11D2-95B5-080009DC8202}000.job

Neither of these jobs shows in the list in the Scheduled Tasks folder,
only as errors in the log file.

I've scanned the whole disk drive (including contents of files) and
the registry and can find no references to the GUID in the job names
above.

Where could mstask be getting these jobs from? Where could I look to
get rid of them?

Thanks in advance for any help.
 
Joe,
Joe DePrimo said:
I have two jobs that try to run (parent PID mstask.exe) apparently
under the Task Scheduler. This started recently even though the
software trying to be run was uninstalled months ago. The attempts
fail because the DLL's being run via rundll32 no longer exist.

The only changes on this server (Win2k Advanced Server, SP4 Build
2195) have been the updates that come from Windows Update and my
anti-virus vendor. (I've also checked for viruses using the latest
definitions.)

One of the jobs runs every 15 minutes and another every hour. I did
a lot of investigation and found references to the jobs in the log
file for Task Scheduler (Control-Panel -> Scheduled Tasks, then pick
"View Log" from the advanced menu). This revealed the job names:
* IDA{5B940D5F-0A3F-11D2-95B5-080009DC8202}001.job
* IDA{5B940D5F-0A3F-11D2-95B5-080009DC8202}000.job

Neither of these jobs shows in the list in the Scheduled Tasks folder,
only as errors in the log file.

I've scanned the whole disk drive (including contents of files) and
the registry and can find no references to the GUID in the job names
above.

Where could mstask be getting these jobs from? Where could I look to
get rid of them?

Thanks in advance for any help.
Click to expand...

I can see 2 possibilities to explain this:

1) the JOB files are marked hidden, hence they don't show up in the
MSTask GUI. To check for this, navigate to the tasks folder
start/run/cmd
cd\WinNT\tasks
dir /a:h

you should only see desktop.ini and a *.dat file, but no JOBs

2) part of the App is still present and it is creating a JOB file
on the fly which will delete itself when after it finishes. I have
no
idea how to trace this expect to check your running processes and
eliminate the obvious till you narrow down to the offender.

hth,
Mark Pryor
 
Mark,

Thanks, option #1 did the trick. I found the hidden jobs via the dir
command. I have my explorer set to "show hidden files and folders"
but that does not do the same thing, apparently.

Now I know how to look for these things...
 
Back
Top